When authorising a xero API connection, is there a way to pass parameters to the redirect URI so they are passed back so that i can identify the client or other information in the redirect back?
https://localhost:44367/integrations/xeroconnect?&clientId={ID}
Related
Does the authorization server directly sends the auth code to the Redirect URI that the client specified or else Is there an Intermediate to whom the auth code will be sent first? If the auth code will be sent to the redirect URL ,then that redirect URL is an endpoint of the client's backend server?
Yes, the authorization code is sent from the authorization server to the web-backend-server via the browser redirect URL
Why via the browser:
Because it's the application the user used to consent/login
Why auth code not token:
Because URLS are visible in browser and network appliances
The step after that is the web-backend-server will exchange the auth code with a token from the auth server
All other steps of OAuth2 are clear to me except the concept of the re-direct URL.
I am querying an API end-point (Bitbucket) via Postman. When registering my application with Bitbucket, it asks me for a redirect end-point. I puzzled over this for a while and tried a random URL - https://random-appxxxx.com/
In Postman, if I entered all the info correctly (client id,secret,access-token URL etc.) along with that random URL, it works perfectly and I am not sure why that is. If I understand correctly, the redirect URL (i.e. callback URL) is where the user is directed to after the client application is authorized.
So, how does Postman read the code from the redirected URL - https://random-appxxxx.com/?code={random string} since the authorization server is sending the code to an invalid url ?
For an Auth 2.0 code flow you need to make an Authorization Request and then Access Token Request.
Postman acts as a browser, a redirect response after Authorization Request from the server is the same as a response of a post request after the Access Token Request.
Postman calls the Auth URL you defined and expect a response of redirect to callbackURL?code=auth_code.
Then call the Access Token URL with that auth_code like described in the RFC6749
Postman doesn't need to call the redirect URL because he finish the handshake instead of your server.
I'm writing a Go application which has to authenticate using auth0. This is done similar to how Google do it, by creating a HTTP server and setting the callback url to localhost
https://developers.google.com/identity/protocols/OAuth2InstalledApp
Instead of sending the access_token in the HTTP body, it stored the token in the URL which could be cached by the browser/proxy.
http://127.0.0.1:36572/auth0/authenticate/#access_token=eyJ0...truncated...SVYsfTThUhssJSh2C9FSvSGFusdw&expires_in=7200&token_type=Bearer&state=QuSsUxSZkYtFi7QPJkpxB9VI23lO3x4W
How do I configure auth0 to make the callback request to http://127.0.0.1:36572/auth0/authenticate, and store the sensitive tokens in the HTTP response body?
Thanks
EDIT: https://auth0.com/docs/api-auth/tutorials/authorization-code-grant-pkce
Let's say, in Oauth implicit flow, the redirect uri I provided is http://www.abc.de/de
Then the oauth2-server will responde with a 302 and the location will say something like:
http://www.abc.de/de#access_token=blabla&token_type=bearer
Then my browser redirects me to http://www.abc.de/de without the url hash part, right?
How is the url hash added to my redirect uri? Does the Outh2-server simply add it and then set the location to that value?
And how do I know that the value given in the access_token is trustworthy? The location is part of the http request right? So while url hashes are not sent to the server, the location value could be intercepted and meddled with by a MITM attack.
Or am I mixing things up here?
i think the identity server will never send those token back unless the url is added to trusted urls on the server.
so if someone create a page in the middle and make people authenticate on it, will never get the token back because the client url is not trusted
I want to add a parameter in youtube API redirect uri dynamically. I know we can't change the redirect uri dynamically. Is there any way to modify the auth url to add a parameter there and extract it after authentication.
As per the answer in this SO post,
You cannot add anything to the redirect uri, redirect uri is constant as set in the app settings of Oauth. eg
:http://www.example.com/redirect.html
To pass several parameters to your redirect uri, have them stored in state parameter before calling Oauth url, the url after
authorization will send the same parameters to your redirect uri as
state=THE_STATE_PARAMETERS
For further studies, you can check this documentation from YouTube API.